Hosting for FCA-aware fintech teams

Infrastructure that's ready when the regulator is.
Without the FCA badge claims.

We host UK fintech teams that are pre-authorisation, in-authorisation, and post-authorisation under the FCA — payment service providers, e-money issuers, lenders, neo-banks, B2B SaaS for regulated firms. We do not claim authorisation status of our own — we are an infrastructure provider, not a regulated entity. What we provide is the hosting pattern that audit teams and compliance counsel keep asking for: immutable logs, encrypted at rest, documented data flows, written DPA, and a sub-processor list that does not change without notice.

If you are early in your FCA authorisation pathway, this page is the technical pattern your compliance lead can hand to the regulator's PSD2 reviewer. If you are post-authorisation, this is the operational baseline you do not have to assemble from twelve blog posts. Either way, we make no claim to be FCA authorised; we are not. The hosting is built for firms that are, or are about to be.

100 % enterprise NVMe: Samsung PM9A3 / Micron 7400 with DWPD ≥ 1
EU datacenter locations: Frankfurt and Bucharest, UK GDPR aligned
TLS 1.3 transport encryption: every connection, no exceptions
LUKS at-rest encryption: keys held in HashiCorp Vault
Six concrete things we do

The hosting pattern your compliance lead is going to ask for

Immutable audit logs

All application logs ship to S3-compatible object storage with Object Lock enabled in compliance mode. A log object written today cannot be overwritten or deleted before its retention period expires, not even by an administrator with root credentials; compliance mode is the only Object Lock mode with that property, since a governance-mode lock can be shortened or removed by any principal holding the bypass permission. Standard retention is 7 years, configurable per workload.

S3 + object-lock · 7-year retention · WORM compliance
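The "not even an administrator" property above depends on two settings that are easy to get wrong: Object Lock must be enabled with a default retention rule, and that rule must use COMPLIANCE rather than GOVERNANCE mode. The following is an added example, not the provider's own tooling, showing a check a compliance or platform engineer could run against the configuration dicts that boto3's `get_object_lock_configuration()` and `get_object_retention()` return (S3-compatible stores such as MinIO return the same shape). The sample configurations are constructed for the example, and the comparison treats a year as 365 days, which is an assumption made here rather than an S3 guarantee.

```python
"""Validate S3 Object Lock settings for an immutable audit-log bucket.

Added example, not the provider's own tooling. The two functions inspect the
dict shapes that boto3 returns from get_object_lock_configuration() and
get_object_retention() and report every way the configuration falls short of
"cannot be deleted before retention expires, even by an administrator":

  * Object Lock not enabled, or no default retention rule, so new log
    objects are written without any lock at all.
  * GOVERNANCE mode instead of COMPLIANCE: a principal holding
    s3:BypassGovernanceRetention can shorten or remove a GOVERNANCE lock,
    so only COMPLIANCE delivers the WORM property.
  * A retention period shorter than the policy (7 years here).

Sample inputs below are constructed for the example; ResponseMetadata is
omitted. A year is treated as 365 days (an assumption made here).
"""
from datetime import datetime, timedelta, timezone

REQUIRED_YEARS = 7
DAYS_PER_YEAR = 365  # assumption used for the comparison below


def _rule_days(rule: dict) -> int:
    """S3 expresses default retention as either Days or Years, never both."""
    if "Years" in rule:
        return int(rule["Years"]) * DAYS_PER_YEAR
    return int(rule.get("Days", 0))


def check_bucket_lock(config: dict, required_years: int = REQUIRED_YEARS) -> list[str]:
    """Return a list of findings; an empty list means the bucket meets policy."""
    findings: list[str] = []
    lock = config.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled: objects can be deleted freely"]
    rule = lock.get("Rule", {}).get("DefaultRetention")
    if not rule:
        return ["no default retention rule: new objects are written unlocked"]
    mode = rule.get("Mode")
    if mode != "COMPLIANCE":
        findings.append(f"default retention mode is {mode}, not COMPLIANCE; "
                        "GOVERNANCE can be bypassed with s3:BypassGovernanceRetention")
    if _rule_days(rule) < required_years * DAYS_PER_YEAR:
        findings.append(f"default retention is {_rule_days(rule)} days, "
                        f"policy requires {required_years} years")
    return findings


def check_object_retention(retention: dict, written_at: datetime,
                           required_years: int = REQUIRED_YEARS) -> list[str]:
    """Check one object's effective lock, which may differ from the bucket default.

    `written_at` and RetainUntilDate are timezone-aware datetimes (boto3 returns
    RetainUntilDate as a datetime).
    """
    findings: list[str] = []
    r = retention.get("Retention")
    if not r:
        return ["object has no retention set"]
    if r.get("Mode") != "COMPLIANCE":
        findings.append(f"object retention mode is {r.get('Mode')}, not COMPLIANCE")
    until = r.get("RetainUntilDate")
    if until is None or until < written_at + timedelta(days=required_years * DAYS_PER_YEAR):
        findings.append(f"object retention ends {until}, before the required period")
    return findings


# Constructed sample inputs in the shape of the boto3 responses.
GOOD_BUCKET = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}}}}
WEAK_BUCKET = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 365}}}}
UNLOCKED_BUCKET = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}

WRITTEN = datetime(2024, 1, 15, tzinfo=timezone.utc)
GOOD_OBJECT = {"Retention": {"Mode": "COMPLIANCE",
               "RetainUntilDate": WRITTEN + timedelta(days=7 * DAYS_PER_YEAR)}}
SHORT_OBJECT = {"Retention": {"Mode": "COMPLIANCE",
                "RetainUntilDate": WRITTEN + timedelta(days=90)}}

if __name__ == "__main__":
    for name, cfg in [("good", GOOD_BUCKET), ("weak", WEAK_BUCKET), ("unlocked", UNLOCKED_BUCKET)]:
        print(name, check_bucket_lock(cfg) or "OK")
    print("short object", check_object_retention(SHORT_OBJECT, WRITTEN))
```

Run the bucket check against every log bucket during supplier due diligence, and the object check on a sample of recent log objects: a bucket can have a compliant default rule while individual objects were written with an explicit shorter retention, so both checks are needed.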

Encryption at rest with key custody

LUKS encryption on every NVMe device, with the unlock keys held in HashiCorp Vault under your control, so you can rotate them on a schedule. Note the boundary: LUKS protects data on a disk that is powered off, removed or decommissioned; once a volume is unlocked, access control on the running host is what protects the data. Column-level encryption of specific PII fields in PostgreSQL (pgcrypto, or application-side transparent column encryption) is available on request. Community PostgreSQL has no built-in transparent data encryption, so this is column-level rather than whole-database encryption.

LUKS · HashiCorp Vault · pgcrypto · Column-level encryption

PSD2 SCA and 3DS2 friendly

Infrastructure built to run Strong Customer Authentication flows reliably: redirect endpoints with sub-200 ms response, SMS OTP delivery to the UK mobile networks (EE/O2/Vodafone/Three) via SMS aggregators, session state in Redis with low-latency replication, and OAuth 2.0 / OIDC stacks pre-configured. SMS OTP counts as a possession factor under SCA but is exposed to SIM swap and interception, so plan for an app-based or FIDO2 factor alongside it.

PSD2 SCA · 3DS2 · OAuth 2.0 · OIDC · Sub-200 ms redirect

Disaster recovery with cross-datacenter replica

Production primary in one datacenter, hot or cold replica in the other (Frankfurt ↔ Bucharest), with failover runbooks documented and tested quarterly. RPO and RTO targets are agreed contractually per workload. The typical tier-1 targets (RPO < 60 s, RTO < 15 min) require a hot replica with continuous replication; a cold replica cannot be restored inside that window.

Cross-DC replica · Quarterly DR test · RPO < 60s · RTO < 15min

Documented data flows and sub-processors

Every workload comes with a data flow diagram showing where customer data lives, who touches it, and under what contract. The sub-processor list is versioned, notice is given 30 days before any change, and an opt-out is available for material changes.

Data flow diagrams · Versioned sub-processor list · 30-day notice

DPA available at signature, signed by our DPO

A Data Processing Agreement under UK GDPR is part of the standard MSA — not an extra-cost add-on. Reviewed by external counsel, aligned with the ICO model clauses, signed by our Data Protection Officer. We can adapt for specific FCA expectations on request.

UK GDPR DPA · ICO model clauses · External counsel reviewed
UK payment methods: Stripe · GoCardless · Faster Payments · Bacs · Apple Pay · Google Pay
The questions compliance teams keep asking

FAQ for UK fintech engineering and compliance

Are you FCA authorised?

No. We are an infrastructure provider, not a regulated entity. We host fintech teams that are FCA authorised (or working towards it), and we provide hosting patterns designed to support the systems-and-controls expectations the regulator places on you. Your compliance lead remains responsible for the regulatory status of your firm.

Can you sign our supplier risk assessment?

Yes. We are familiar with SYSC 8 (Outsourcing) and the wider outsourcing expectations in the FCA Handbook's Senior Management Arrangements, Systems and Controls sourcebook. Send us your supplier risk template and we will complete it within 5 working days. We have completed assessments for clients regulated under the FCA, the PRA, the CSSF (Luxembourg) and BaFin (Germany).

What about ISO 27001?

Our EU operating entity is preparing for ISO 27001 certification — we do not currently hold the certificate, so we do not claim it. We follow ISO 27001 Annex A controls operationally; happy to share our ISMS documentation under NDA for due diligence.

Do you support Open Banking sandboxes?

Yes. We have hosted teams testing against the Open Banking sandbox run by Open Banking Limited, the successor to the OBIE. The hosting pattern is the same as for production: separate environment, separate credentials, separate audit log stream. No special pricing for sandbox environments.

What is the breach notification timeline?

As your processor under UK GDPR (Article 33(2)), we notify you of a personal data breach without undue delay; our internal SLA is 12 hours from detection. The 72-hour clock for notifying the ICO runs for you as controller from the moment you become aware, so the 12-hour SLA is there to leave your team most of that window. We provide all forensic information needed for your own notifications to the ICO and to your FCA supervisor (where applicable).

Scope a setup

Send your supplier risk template. We will fill it in within 5 working days.

Most regulated UK firms have a standardised vendor onboarding template. Send yours, and we will return it completed with our security controls, sub-processor list and DPA appendix attached. No high-pressure sales call afterwards.